On Fri, Sep 11, 2015 at 7:31 AM, Chris Cowley <chriscowleyso...@gmail.com>
wrote:

> When I run
>
>
>  /opt/puppetlabs/bin/puppet node find <nodename>
>
> I get the expected wall of JSON and agents work fine too.
>

By default, this will generate a node object for the nodename you
specified, but add the local host's fact information, and return that as
JSON. It's probably not what you're wanting to do:

    $ puppet node find foo
    {
      "name": "foo",
      "parameters": {
        ..
        "fqdn": "arcturus.delivery.puppetlabs.net",
        ..
    }

To access the puppetmaster's REST API, you'll need to do:

    puppet node find <nodename> --terminus rest


>
> However, I would like to set up monitoring. When I run:
>
> curl --cert /etc/puppetlabs/puppet/ssl/certs/mymachine.pem \
>      --key /etc/puppetlabs/puppet/ssl/private_keys/mymachine.pem \
>      --cacert /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem \
>      -H 'Accept: pson' \
>      https://<puppetmaster>:8140/puppet/v3/catalog/<nodename>?environment=production
>
> the server returns Error 403: Forbidden
>
> Is there something in auth.conf to add to enable access to the API outside of
> the CLI?
>

By default, puppet only allows a node to get its own catalog (see
https://github.com/puppetlabs/puppet/blob/4.2.0/conf/auth.conf#L67-L70).
This means the common name component of the subject's distinguished name in
your client cert, e.g. mymachine, needs to match exactly the <nodename> for
the catalog you're requesting.

You can also add an ACL to auth.conf to allow a monitoring/controller node
to retrieve all catalogs. Just make sure to only allow the one node to do
that.

    path ~ ^/puppet/v3/catalog/
    method find
    allow <subject CN of monitoring node>

Josh

-- 
Josh Cooper
Developer, Puppet Labs

PuppetConf 2015 <http://2015.puppetconf.com/> is coming to Portland,
Oregon! Join us October 5-9.
Register now to take advantage of the Final Countdown discount
<https://www.eventbrite.com/e/puppetconf-2015-october-5-9-register-now-its-the-final-countdown-tickets-13115894995?discount=FinalCountdown>
and save $149!
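To see how the per-node catalog rule and the monitoring ACL from the reply above interact, here is a small evaluator for the legacy auth.conf rule format, added as an example (it is not Puppet's own code). It models rules as first-match-wins, the way that format was documented, so the monitoring node's CN is added to the default rule's allow list rather than placed in a broader rule ahead of it; the default rule text, the CNs `mymachine` and `monitor.example.com`, and the request paths are assumptions constructed for the example.

```python
import re

# Toy evaluator for the legacy Puppet auth.conf format (this example's own code,
# not Puppet's): "path ~ <regex>", "method" and "allow" lines, with $1 in an
# allow entry expanded from the path regex's first capture group. Rules are
# checked in order and the first rule whose path and method match decides.

def parse_auth_conf(text):
    """Return a list of [path_regex, methods, allow_entries]."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        if key == "path":                      # only "path ~ regex" is modelled
            cur = [val.split("~", 1)[1].strip(), (), ()]
            rules.append(cur)
        elif key == "method" and cur:
            cur[1] = tuple(v.strip() for v in val.split(","))
        elif key == "allow" and cur:
            cur[2] += tuple(v.strip() for v in val.split(","))
    return rules

def authorized(rules, path, method, client_cn):
    for path_re, methods, allow in rules:
        m = re.match(path_re, path)
        if not m or method not in methods:     # no match: try the next rule
            continue
        for entry in allow:
            # expand $1, $2 ... from the path capture groups, then compare with the cert CN
            expanded = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), entry)
            if entry == "*" or expanded == client_cn:
                return True
        return False                           # rule matched but CN not listed: deny
    return False                               # nothing matched: deny

# Constructed configs. DEFAULT is the per-node catalog rule as I recall it from
# puppet 4.2.0 conf/auth.conf; MERGED adds the monitoring node's CN to its allow
# list; BROAD_FIRST places the reply's wider ACL ahead of the default rule.
DEFAULT = "path ~ ^/puppet/v3/catalog/([^/]+)$\nmethod find\nallow $1\n"
MERGED = DEFAULT.replace("allow $1", "allow $1, monitor.example.com")
BROAD_FIRST = "path ~ ^/puppet/v3/catalog/\nmethod find\nallow monitor.example.com\n" + DEFAULT

def can_fetch_catalog(conf, client_cn, nodename):
    return authorized(parse_auth_conf(conf), "/puppet/v3/catalog/" + nodename, "find", client_cn)
```

With BROAD_FIRST, ordinary agents are denied their own catalog because the broader rule matches first and its allow list does not contain them; MERGED keeps agents limited to their own catalog and lets only the monitoring CN fetch any.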

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2Bu97unJc%3D2JOrOY23EL6HGb4r0NF_pZ9OQ5d5WDk%2BwAmvHOZA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
